[cifs-protocol] Clarify AEAD behaviour for GSSAPI with AES

Hongwei Sun hongweis at microsoft.com
Thu Aug 7 22:03:25 GMT 2008

Hi, Andrew,

Thanks for your comments and the diagram attached. The security product group will review the content of the diagram to see whether we can incorporate it into the document.

Before we can use the diagram, we would like to confirm that Mr. Astrand is covered by the PFIF WSPP agreement that gives Microsoft a broad license to use and distribute any comments or suggestions to improve the WSPP documentation. This license is dependent on whether Mr. Astrand is a member of PFIF/Samba.  We also need to know if the he is expecting attribution for the work.

We appreciate your efforts to help us improve protocol documentation.


Hongwei  Sun - Support Escalation Engineer
DSC Protocol  Team, Microsoft
hongweis at microsoft.com
Tel:  469-7757027 x 57027

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, August 04, 2008 7:13 PM
To: Hongwei Sun
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: [cifs-protocol] Clarify AEAD behaviour for GSSAPI with AES

On Thu, 2008-07-31 at 14:36 -0700, Hongwei Sun wrote:
> Andrew,
>    The  encryption function in Kerberos is described in details in 5.3
> [RFC3961] (http://www.ietf.org/rfc/rfc3961.txt), which is referenced
> by [MS-KILE].
>     I can summarize  as follows
> ·        "conf" is actually a random confounder prefix  of length
> c ,such as 16.
> ·        "pad" is for shortest padding to bring confounder and
> plaintext to a length that is the multiple of message block size m,
> which is octet(8) for AES encryption, as specified in  section 6 [RFC
> 3962] (http://www.ietf.org/rfc/rfc3962.txt)
> ·         Ke is an encryption key and Ki is a checksum key.
> ·        Plain text is the input confidential data before encryption.
> ·        The GSSWrapEX()  is exactly the same as the GSSWrap except
> that it supports ordered list of input buffers.  Input buffers for
> which conf_req_flag == TRUE are encrypted and returned. Buffers which
> sign == TRUE are included in the signature.
> ·        We use the Kerberos standard’s encryption and signatures.
> It is very important to  concatenate  the correct buffers to make it
> work.

Indeed - and that is why I am asking for this to be much more clearly specified.

I find digrams much more useful - see the attached work by Love Hörnquist Åstrand <lha at kth.se>.

Can you please expand MS-KILE with this information?


Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

More information about the cifs-protocol mailing list